12% of e-mail users have actually tried to buy stuff from spam

Good luck trying to find an Internet user who admits to responding to spam. …

Be honest: have you ever responded to a spam e-mail? Do you know anyone who has? If you're like most of us at Ars, you can't fathom why anyone would respond to most of the messages we get, but a new study released by the Messaging Anti-Abuse Working Group (MAAWG) shows that there are just enough people responding to make spamming worthwhile—especially since most spam these days is sent by botnets.

According to the group's latest report, a disturbing number of e-mail users respond to spam, and not just because they're dumb—some of them did so because they were actually interested in the product or service. Shocking, we know.

Admitting the secret shame

The MAAWG conducted 800 interviews by phone and Internet across the US with people who had e-mail addresses not managed by a corporate IT staff. It found that two-thirds of the group said that they were very or somewhat experienced with Internet security, and a majority used filters of some kind in order to avoid spam. Eighty-two percent were aware of bots and botnets, though not many believed they were at risk of being victimized by one.

Slightly less than half (48 percent) said that they have never clicked on a spam e-mail. That's the good news, but that means the other half have clicked on or responded to spam. But why? The answers will undoubtedly horrify you. A full 12 percent said that they were interested in the product or service being offered—those erection drug and mail order bride ads do reach a certain market, it appears.

Seventeen percent said that they made a mistake when they did so—understandable—but another 13 percent said they simply had no idea why they did it; they just did. Another six percent "wanted to see what would happen."

(Interestingly, a larger percentage of people who were interviewed by phone said that they had never acted on a spam message compared to those who answered online. Guess it's true that users would rather not admit their foibles when speaking to a real person.)

"Although a small percentage of the computing population, these numbers still earn a significant enough return on investment to support a booming spam-driven underground economy," wrote MAAWG. Indeed, with spam making up a very large majority of all e-mail traffic—Microsoft recently claimed it was at 97 percent—even low sell-through rates are enough to make things very profitable. With botnets supposedly sending more than 80 percent of that spam (according to Symantec), there are now relatively few man-hours involved in making money from a spam-based business. Just set it and forget it.

It's hard to believe that so many people respond to spammers for any reason, much less because they actually want to buy something, but that's human nature for you. Glancing through my spam folder, the offers range from setting me up with a "lovely Russian woman TODAY!!!!" to "amazing" work from home opportunities (joke's on them—I already work from home).

Needless to say, I'm not responding, but someone is. Have you ever responded to spam?

Jacqui Cheng
Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more. Email: jacqui@arstechnica.com // Twitter: @eJacqui

Originally posted by Goronmon: "That's the good news, but that means the other half have clicked on or responded to spam. But why?"

Because some spam e-mails can be hilarious to read. As far as going the next step and actually clicking links or paying for stuff? No way.

A combination of this and laptop touch pads / sensitive mice would account for a lot of people actually clicking on SPAM (if we're all being honest here). That's a bit of a flaw in the questioning methodology.

I don't remember ever having clicked on a spam, but who knows, maybe I did it in my pristine years in the beginning of the 2000s. If I had done it, it was very forgettable. However, thanks to GMail, all this rubbish is efficiently filtered and doesn't bother me anymore.

Anyway, since the time spam has plagued our mail, why hasn't anyone created a new mail sending protocol, which would be a bit more secure than this 'I tell it what I want' SMTP? Ever since I studied it in college, I've been surprised by the fact that it can be told whatever garbage we like to tell it without any kind of control or authentication.

Have I ever responded? Sure, but not to the spammer - normally to abuse@ISP, with copies out to the appropriate Usenet groups. Stopped doing it a few years ago though, as I have better things to do with my time.

I've been in a position professionally and personally to help advise people to resist this sort of marketing. I have investigated a couple of the more believable emails that hit my junk folder by opening the URL in a browser running in a virtual machine with the "disk undo" feature enabled. Not to actually buy anything, of course, but so I'd know what the more trusting among my friends, family and colleagues are up against. Over the years, the advertisements have become more competently executed.

I presume we're considering a narrow definition of SPAM as that class of randomly targeted bulk email that's selling things that are probably ineffective at best and illegal at worst. I.e., *not* the email notices of upgrades/sales from companies with whom we've previously done business. Some people think that's spam.

Did the respondents know the difference between commercial email and SPAM? For instance, buying something from a NewEgg email advertisement that you signed up for is not the same as buying from a spammer. Hard to believe that percentage is buying from actual SPAM.

There is a lot of confusion on this point, even by people that should know better.

Once I did reply to a 419 scammer. I sent him a reply with a zipped copy of the "receipt" for the money I sent him. Hopefully he tried opening it on multiple systems before he figured out what it was. lol

I'm looking for a new job, and just yesterday I responded to a post for a $1200 30-day diet pill study under the biotech jobs section of Craigslist. I got a legit looking email back saying I was the right age, height, and weight that sent me to a site to fill out a form. The only way I spotted the spam was because they asked for credit card information for "shipping purposes only". A google search later and I figured out how close I came to getting ripped off.

I just can't understand why anyone would buy MEDICAL PRESCRIPTIONS from a shady online spammer. Who knows what's in it -- there's a good reason why we have doctors and pharmacies with trained and licensed pharmacists. As for non-Viagra stuff, has there ever been a "test" of the spammers to see if they really deliver if you buy?

i get about 400-500 spam messages a day, most of them are useless crap. there are a few that are more reasonable, and some of them even advertise things that i potentially might want to get, but i follow the rule "never respond to spam, no matter how attractive it is". also there is soft spam, so called mailings from companies that i bought something from, but did not explicitly ask not to ever send me anything. i politely follow steps to remove myself from their lists, but it is still annoying.

Originally posted by David Bradbury: As for non-Viagra stuff, has there ever been a "test" of the spammers to see if they really deliver if you buy?

I'd never buy anything from actual spam, but I did buy an asthma inhaler from some dodgy south pacific website a few years ago. they delivered, and it was the exact same thing I'd previously received from the pharmacy for a lot more money.

I don't reply to it, but I Do like to take screenshots of the ones with good headlines. One of my favorites: "Add more meat for better taste." Wasn't sure if that was boner pills or some sort of steak/bacon advertisement!

There are two different questions here. Have you ever bought something from a spammer and have you ever clicked on a spam message.

I wouldn't be surprised if I've come home drunk or whatever from some party and found the spam amusing enough to see what they were saying. Hell, I've even been curious enough sober to click on phishing email once or twice to see how well they did it.

@David Bradbury

Are you really surprised that people will try to purchase drugs of abuse or sex aids from shady sources? I mean it's not like most drug dealers aren't shady.

Well, if the things they sold were legit, sure I'd take some. I'm not overly well endowed, and another 3" wouldn't hurt. And hell, I'd like to make 3,000/week working from home too. That'd be good money.

It's just that people think this might actually be true. WTF?

Although some of them are pretty funny--I click on 'em sometimes too cause well, some of the phishing scams are hilarious.

There is some research going on that makes mail slow to send. Too slow to make botnets worthwhile. A new type of SMTP server that makes your computer first do a mathematical problem that takes a lot of CPU time before sending the message. Even a second or two is enough to slow down botnets.

Another suggestion is to have to manually authenticate when sending a lot of mail. Your local server could hold off sending and send you a warning that bulk email is about to be sent and require a confirmation. This would alert a lot of people to botnets running on their system, and give them a chance to remove them.
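The CPU-cost idea in the comment above can be sketched as a hashcash-style puzzle. This is an added example, not code from the article or any commenter: the sender brute-forces a stamp bound to the recipient, and the receiving server checks it with a single hash and rejects replays. The simplified stamp format, `mint`, `Receiver`, the addresses and the date are assumptions for illustration.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def mint(recipient: str, date: str, bits: int) -> tuple[str, int]:
    """Sender side: brute-force a counter until the stamp's hash has
    `bits` leading zero bits. Returns (stamp, hashes_tried)."""
    for counter in count():
        stamp = f"{bits}:{date}:{recipient}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

class Receiver:
    """Receiving server: one hash per check, plus a replay cache."""
    def __init__(self, address: str, min_bits: int):
        self.address, self.min_bits, self.seen = address, min_bits, set()

    def accept(self, stamp: str) -> bool:
        try:
            bits, _date, recipient, _counter = stamp.split(":")
            claimed = int(bits)
        except ValueError:
            return False  # malformed stamp
        if recipient != self.address or claimed < self.min_bits:
            return False  # minted for someone else, or too little work
        if stamp in self.seen:
            return False  # one stamp reused across many messages
        digest = hashlib.sha256(stamp.encode()).digest()
        if leading_zero_bits(digest) < claimed:
            return False  # the claimed work was never done
        self.seen.add(stamp)
        return True

if __name__ == "__main__":
    # Constructed sample values; each extra bit doubles the sender's cost.
    stamp, tried = mint("alice@example.org", "20240101", 16)
    rx = Receiver("alice@example.org", 16)
    print(stamp, "| sender hashes:", tried, "| receiver hashes: 1")
    print("first delivery accepted:", rx.accept(stamp))
    print("replay accepted:", rx.accept(stamp))
```

Because the recipient is part of the hashed stamp, a bulk sender has to repeat the work for every address instead of paying once per message.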

I've certainly been interested in a few of the items listed in spam emails (no, not the viagra type... but the shamwow and slanket, for example, as gifts). However, although the spam may have given me the idea for the item, I always went to google to actually find the item myself... never did I click through on a spam email.

In that sense, maybe it's just laziness on the user's part to simply click through and "trust" that they'll get to the page they want? Too often I have people who simply don't know what the address bar in their browser is... these are the types of people I can surely see clicking through.

The moral of the story is - maybe these clueless people need to be taken off the internet, in order to help alleviate spam!

Still of the opinion spammers and botnet creators/herders should be hunted down and punished with a severity that would make Joseph Stalin's corpse blush. It's so frustrating that law enforcement has so little impact on the situation. That being said, some education seems to be in order. We've somehow got to convince people it's up to them to help stop spam. The best strategy is to never ever respond to anything unsolicited. If you're interested in a Russian bride, go find one yourself, don't use the oh-so-convenient spam email link. Unfortunately, depending on users to change their behavior is unrealistic.

Originally posted by gustav_1: There is some research going on that makes mail slow to send. Too slow to make botnets worthwhile. A new type of SMTP server that makes your computer first do a mathematical problem that takes a lot of CPU time before sending the message. Even a second or two is enough to slow down botnets.

Why not do something useful with this CPU time instead of just some throwaway calculations? Do a couple folding@Home calculations and send them off with the mail after a few seconds.

Hell, if this were implemented, I'd click on spam all the time just to encourage people to make botnets that do useful things

Yes I've responded to spam, but not by replying to it or clicking through. I always forward it to someone who'll take care of it, like KnujOn for instance.

When I've made efforts to reach the spammer, it's because I've been warning the person or business that their message constitutes spam. Usually, people are angry to be made aware their "direct marketing" is spam, and some threaten legal action, which is funny, seeing as the law's on my side.

But that isn't what you meant by "respond", is it? You meant "fell for", right?

Originally posted by gustav_1: There is some research going on that makes mail slow to send. Too slow to make botnets worthwhile. A new type of SMTP server that makes your computer first do a mathematical problem that takes a lot of CPU time before sending the message. Even a second or two is enough to slow down botnets.

Evidently the researchers aren't aware that bots include their own SMTP servers. Idiots.

quote:

Another suggestion is to have to manually authenticate when sending a lot of mail. Your local server could hold off sending and send you a warning that bulk email is about to be sent and require a confirmation. This would alert a lot of people to botnets running on their system, and give them a chance to remove them.

Mail servers already require authentication. Even if bots didn't use their own SMTP server, why would authentication present any kind of a barrier? (Hint: computers are good at automation.)

These are the same people that end up with bots installed on their PCs and then wonder why their PC starts acting strangely. The saying is true, no one has ever gone broke underestimating the intelligence of the (American) public. Judging by the fines levied against some of the spammers that have been prosecuted, spam can make you very wealthy, at least until you get caught.

I guess I'm the odd guy out... I actually clicked on (and BOUGHT!) something from what was (at the time) considered spam, but that was a long time ago. In fact, the spam was from a normal mom-and-pop software/hardware business in New Jersey back in late 2001-early 2002. They got my email in one of those "can I buy your subscriber list to send out target ads" deals that were popular back then but are now MUCH rarer since they eventually caused such blowback. I needed a couple of OEM licenses for Windows XP Pro, and an install media; they had a good price listed in the email, I checked them out at the various consumer feedback places (not perfect, but a B overall after a few hundred responses), and checked their website. Since they were legit, I bought the licenses... saved about $50 over what I would have paid NewEgg, which was not the king it is today back then, but was one of the less expensive other places I found. The licenses came, along with the single install disk... both were perfect, unused, both valid, and I STILL have that OS and the two licenses running on two machines to this day. Not bad for $150. Now, would I do it again?

HECK NO! And I wouldn't have done it then if they hadn't checked out. I don't even look at spam anymore. Oh, and I'm VERY tech savvy, was back then, too... I'd been on the Internet with a home connection (no, not AOL, a SLIP connection) since 1994, when I was getting my Masters in Computer Science. But that was a more civil time.

Originally posted by qst330: The 12% responding should be banned from the net.

This.

It's like having 12% -or whatever figure- of drivers on the road weaving across lanes, stopping suddenly on the highway for no reason, causing traffic jams...

I'm glad that someone is finally looking at the other half of the spam problem, namely the ignorant people who pay the spammers' salaries, but I hope these studies go further and call for action. The spammers themselves should still be punished to the fullest extent possible (including public decapitations as needed), but no one should likewise fund the spamming industry without consequences.

If this means someone's grandma gets her keyboard taken away, too bad. This has gone on long enough.

And no, we will never see a new mail protocol as long as one unnamed monopoly continues to dominate the email world. They are the only holdout not using open standards.

You have to define "spam" in order for the question to make sense. If the definition is any advertisement sent by email then you bet I've bought stuff. Albums from iTunes notifications, items on sale at buy.com and countless other web sites, special offers from various manufacturers.

You have to decide where to draw the line and each person may do so differently if you simply ask about "spam". Companies I've done business with certainly don't consider their email spam. What about the companies they've sold my address to? I get all kinds of marketing by email that I sort of approved by checking or failing to uncheck a box somewhere. Some people consider all this spam, other people see this as legit and reserve the word for viagra ads.